Overview
Privacy-Enhanced Mail (PEM) is the most common format in which a Certificate Authority issues certificates. A Privacy-Enhanced Mail (PEM) file can contain private keys (RSA and DSA), Public Keys (RSA and DSA) and X.509 Certificates.
Apache and other similar servers use Privacy-Enhanced Mail format certificates. Several Privacy-Enhanced Mail certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and Private Key to be in separate files.
Privacy-Enhanced Mail Characteristics:
- Base64 encoded ASCII files, with the data enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines
- File extensions are commonly: .pem, .crt, .cer, .key
- Certificate Chain and Private Keys can all be put into the PEM format.
- Apache and similar servers use PEM format certificates
Single Binary Certificate
In its base form, a digital certificate is a binary data structure containing the fields listed in X.509 certificates. A Certificate is encoded using Distinguished Encoding Rules, a platform-independent standard for encapsulating data. As with other binary data, remember to transfer a binary certificate in binary format, for example using binary FTP, when you copy to or from a system. If you peek at a data set containing a binary certificate on a z/OS or other EBCDIC platform, the contents appear unintelligible because none of the data is encoded in EBCDIC. On a Windows® or other ASCII platform, some string data might be intelligible if it is encoded in ASCII.
Privacy-Enhanced Mail is the default format for OpenSSL. Privacy-Enhanced Mail stores data in Base64 encoded Distinguished Encoding Rules format, surrounded by ASCII headers, so it is suitable for text mode transfers between systems.
Generally, if your organization uses certificate chaining, use this format to create CA certificates.
Opening a Privacy-Enhanced Mail file in a text editor shows something similar to:
-----BEGIN CERTIFICATE-----
MIIEvDCCBCWgAwIBAgIQBWXQILzgvZ/Yq0T/DF9j4DANBgkqhkiG9w0BAQUFADCB
jDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
b20vdnNsb2dvLmdpZjANBgkqhkiG9w0BAQUFAAOBgQAfd2Pw4dWhyHrmcbPxqVKG
: Base 64 encoding of DER :
9TGhojnDNQov4umWxtiMEScsx7L7CnanN6qNCMdVcBGrZpTW8IsGwSD2Gjg8fIfb
/NfVk00RP00+QuzdtbH911tkbqakrjJd5Ck8Nq/jF1FUlgzu5+35cDtcTYB2PD05
A8NmmxGCAbsKaNp/6Vk98w==
-----END CERTIFICATE-----
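The structure described on this page (Base64 of DER between BEGIN/END lines, with several blocks allowed in one file) can be checked with a short script that splits a file into its blocks and reports whether a private key sits alongside certificates. This is an added example, not part of the original page; the function names are hypothetical and the sample DER values are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN/END lines carrying the same label around Base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes as PEM: Base64 in 64-character lines between headers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)

def split_pem(text: str):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())           # drop line breaks
        der = base64.b64decode(body, validate=True)  # raises on non-Base64 text
        # X.509 certificates and RSA/DSA keys are DER SEQUENCEs (tag 0x30).
        if not der.startswith(b"\x30"):
            raise ValueError("block %r is not a DER SEQUENCE" % m.group(1))
        blocks.append((m.group(1), der))
    return blocks

def audit_bundle(text: str):
    """Count certificates and private keys, and flag files that mix both."""
    labels = [label for label, _ in split_pem(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    return {"certificates": certs, "private_keys": keys,
            "key_mixed_with_certs": certs > 0 and keys > 0}

# Constructed sample data: tiny DER SEQUENCEs standing in for real objects.
SAMPLE_DER_LEAF = bytes.fromhex("3003020105")
SAMPLE_DER_CA = bytes.fromhex("3003020106")
SAMPLE_DER_KEY = bytes.fromhex("3003020107")
SAMPLE_BUNDLE = (to_pem(SAMPLE_DER_LEAF, "CERTIFICATE")
                 + to_pem(SAMPLE_DER_CA, "CERTIFICATE")
                 + to_pem(SAMPLE_DER_KEY, "RSA PRIVATE KEY"))

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_BUNDLE))
```

A file flagged with key_mixed_with_certs is one to split before deployment on platforms that expect the certificates and the private key in separate files.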